Workspace ONE UEM utilizes ACC and the Credential Escrow Gateway feature to send encrypted skeleton profiles back and forth between the SMIME certificate and Workspace ONE UEM. Learn more about the requirements and architecture behind the Credential Escrow Gateway feature.

System Requirements

The following system requirements are recommended for supporting 100,000 devices in Credential Escrow Gateway.

| Escrow Gateway | Up to 100,000 devices | Notes |
|---|---|---|
| System Requirements | CPU - 4 cores | Per 8,000 devices, up to a maximum of 32,000 devices (8 CPU / 16 GB RAM) per application server. |
| Memory | 16 GB | Escrow Gateway uses Redis as its primary data store. Because Redis is an in-memory database, it is essential to allocate sufficient memory. By default, EG sets the upper bound on the total memory used by Redis to 8 GB. The remaining memory is available for use by other system processes and applications. |
| Disk Space | 40 GB | |
| Load | *Continuous load of 40 requests per second. | |

*If you adhere to the recommendations in this table.

Required Network Configurations

Credential Escrow Gateway uses port 443 for inbound API requests from ACC and for the outbound connection that sends completed, encrypted profiles (the skeleton profile from UEM hydrated with the customer-uploaded SMIME certificate) back to Workspace ONE UEM.

| Source Component | Destination Component | Protocol | Port |
|---|---|---|---|
| ACC | AWCM | HTTPS (inbound to AWCM) | 2001 - OnPrem |
| ACC | AWCM | HTTPS (inbound to AWCM) | 443 - SaaS |
| ACC | Escrow Gateway | HTTPS (inbound to Escrow Gateway) | 443 |
| AWCM | ACC | HTTPS (inbound to ACC) | 443 |
| Escrow Gateway | Workspace ONE UEM API | HTTPS (outbound from Escrow Gateway) | 443 |
| PKI/Certificate Authority | Escrow Gateway | Open Firewall | |

Note: Since the request is going through ACC, please make sure you enable "All Other Components" under Groups & Settings > All Settings > System > Enterprise Integration > Cloud Connector > Advanced.
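
As an added example (not part of the vendor documentation), the Python code below audits a list of firewall allow rules against the flows in the table above, reporting documented flows that no rule permits and rules that are broader than, or absent from, the table. The rule tuple format, the function names and the sample rules are assumptions made for illustration.

```python
# Flows transcribed from the network table: (source, destination, port).
COMMON_FLOWS = {
    ("ACC", "Escrow Gateway", 443),
    ("AWCM", "ACC", 443),
    ("Escrow Gateway", "Workspace ONE UEM API", 443),
}
ACC_TO_AWCM_PORT = {"onprem": 2001, "saas": 443}  # differs by deployment
# The table lists this pair as "Open Firewall" without a port number.
PORTLESS_PAIR = ("PKI/Certificate Authority", "Escrow Gateway")


def required_flows(deployment):
    """Documented flows with a fixed port for 'onprem' or 'saas'."""
    return COMMON_FLOWS | {("ACC", "AWCM", ACC_TO_AWCM_PORT[deployment])}


def permits(rule, flow):
    """True if an allow rule covers a flow; port 'any' matches every port."""
    return rule[:2] == flow[:2] and rule[2] in ("any", flow[2])


def audit(rules, deployment):
    """Return (missing, extra) for a list of (src, dst, port) allow rules.

    missing: documented flows that no rule permits.
    extra: rules that are not an exact documented flow (broader or unlisted).
    """
    rules = set(rules)
    required = required_flows(deployment)
    missing = [f for f in required if not any(permits(r, f) for r in rules)]
    if not any(r[:2] == PORTLESS_PAIR for r in rules):
        missing.append(PORTLESS_PAIR + ("open",))
    extra = [r for r in rules if r not in required and r[:2] != PORTLESS_PAIR]
    # key=str because ports mix integers with the strings "any" and "open"
    return sorted(missing, key=str), sorted(extra, key=str)


# Constructed rule set for illustration; not taken from any real firewall.
SAMPLE_RULES = [
    ("ACC", "AWCM", 443),
    ("ACC", "Escrow Gateway", "any"),
    ("AWCM", "ACC", 443),
    ("PKI/Certificate Authority", "Escrow Gateway", 443),
    ("Escrow Gateway", "AWCM", 443),
]

if __name__ == "__main__":
    for deployment in ("onprem", "saas"):
        print(deployment, audit(SAMPLE_RULES, deployment))
```

With the sample rules, the on-premises audit reports the ACC to AWCM flow on port 2001 as missing, because the rule set only opens 443 for that pair.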

Escrow Gateway Architecture Diagram

The following diagram illustrates the Credential Escrow Gateway components and how those components work with your environment.

Diagram showing the configuration of the Credential Escrow Gateway architecture from device enrollment into Workspace ONE, connecting to the DMX, and connecting to the customer's environment.